Cyber-security experts told WikiTribune why suspicion of the U.S. National Security Agency holds back cooperation on encryption

Highlights

Cyber-security relies on testing your allies, but Snowden leaks showed the NSA went too far - expert

Delegates at meeting in Wuhan were suspicious of the US's motives

Encryption project will proceed, but some delegates see it as incompatible with aims of government agencies

<b>Suspicion towards the U.S. National Security Agency (NSA) is holding back cooperation in the vital area of encryption, experts told <i>WikiTribune</i>, after an NSA plan to increase global encryption standardization for the "<a href="https://en.wikipedia.org/wiki/Internet_of_things">internet of things</a>" was rejected by a leading body.</b>

On April 24, delegates to the International Organization for Standardization (ISO) met behind closed doors in Wuhan, China, and <a href="https://www.wikitribune.com/story/2018/04/20/internet/67004/67004/">voted to end a program</a> to adopt two forms of encryption championed by the NSA. The plan had <a href="https://www.reuters.com/article/us-cyber-standards-insight/distrustful-u-s-allies-force-spy-agency-to-back-down-in-encryption-fight-idUSKCN1BW0GV">already been reduced</a> in 2017 due to delegates’ suspicions towards the agency. <em>(Read the <a href="https://www.wikitribune.com/story/2018/04/20/business/exclusive-nsa-encryption-plan-for-internet-of-things-rejected-by-international-body/67004/">exclusive WikiTribune story here</a>.)</em>

The NSA <a href="https://www.atlasobscura.com/articles/a-brief-history-of-the-nsa-attempting-to-insert-backdoors-into-encrypted-data" rel="external">has a track record</a> (<i>Atlas Obscura</i>) of trying to install vulnerabilities, or backdoors, into security tools, including forms of encryption. This dispute over the Simon and Speck algorithms – which would have been included in household objects such as smart speakers, fridges, lighting and heating systems – showed the agency still lacks the trust of many countries, including U.S. allies.

“In the cyberspace, alliances are quite different than in the conventional strategic spaces,” said Dr. Nicolas Mazzucchi, from the Foundation for Strategic Research in Paris.

“In traditional military, having an alliance is, above all, sharing the strengths. In the cyberspace, on the contrary, alliances are made upon the sharing of vulnerabilities,” said Mazzucchi, explaining that allied agencies test each other’s vulnerabilities and share solutions. They even sometimes test the strengths of their allies’ security, on the basis of mutual trust, and the understanding that one ally’s weakness makes them all potentially vulnerable.

Leaks from whistleblower <a href="https://www.wikitribune.com/story/2018/01/05/free_speech/qa-edward-snowden-on-rights-privacy-secrets-and-leaks-in-conversation-with-jimmy-wales/26810/">Edward Snowden</a>, including the allegation that the <a href="https://www.theguardian.com/world/2013/oct/24/nsa-surveillance-world-leaders-calls">NSA tapped the phones</a> (<em>Guardian</em>) of 35 world leaders including German Chancellor Angela Merkel and then-French President Francois Hollande, undermined the good faith on which this relationship was built, said Mazzucchi.

“Their distrust over the NSA-run ISO program could be regarded as a will to explore other ways to achieve a satisfying level of cybersecurity, avoiding [the risk of] communications [being] systematically intercepted by the U.S. intelligence agencies,” said Mazzucchi.

“If those designs were not coming from NSA, they would not have received the attention they did,” Stefan Kölbl, who advised the Danish delegation to the ISO, told <i>WikiTribune</i>.

This suspicion is not entirely down to Snowden, he added. “There has been a long history of conflicts between the widespread application of strong cryptography and NSA, but it definitely brought the issue to a broader audience and also revealed the full scope to us on the effort being carried out to subvert secure systems,” said Kölbl.

Dr. Tomer Ashur of KU Leuven University in Belgium was the most ardent opponent of the plan, according to several people <em>WikiTribune</em> contacted who were at the meeting.

“Of course the NSA's history was looming over us like a black cloud, but I don't think this was a prime factor [in closing the program],” Ashur told <i>WikiTribune</i>.

“Many crypto experts both within and outside ISO had concerns about the security of the algorithms,” said Ashur. “The NSA tried to remain as obscure as it could about certain design decisions and parameter choices they have made. As this is out of line with what is perceived as best practices of cipher design, this alarmed some of the delegates, including myself.”

Specific requests for more detailed information were met with obfuscation, said Ashur.

“I can't speak for the other delegates but I believe it was these concerns together with the adversarial and aggressive behavior of the NSA that eventually led them to support the cancellation of the project,” he said.

The NSA has acknowledged a <em>WikiTribune</em> request for comment, but has not yet offered a response.

Standardizing encryption for the internet of things is perfectly achievable, said Kölbl, but the dispute with the NSA has convinced many developers that their mission might not be compatible with the aims of government intelligence agencies.

“In general it is healthy to be very careful with cryptographic algorithms coming out of any intelligence agency, as there is often some sort of conflict of interests,” said Kölbl. “One group inside such an organization might have a general interest in providing strong cryptographic algorithms, however other parts will also have the goal to insert vulnerabilities into commercial encryption systems.”

“I think in the end this whole controversy will be beneficial to the standardization process at ISO,” he said. “It showed that we need to have clearer rules stated which enforce transparency from the designers of a cryptographic algorithm before we consider them for standardization and there has been a lot of discussion going on, on how to improve this process.”

The proposal to adopt Simon and Speck was only an amendment to existing standards, said Ashur, meaning there are ISO-approved standards for this type of encryption. The U.S. National Institute of Standards and Technology, which also contributed to the U.S. delegation, has made further recommendations for types of algorithms that Ashur said he expects the academics at the ISO to be more open to.
